A few weeks ago I showed you how to stop the spammers from swamping you with bogus emails from your comment and IDX system. You can read more about that in “How to Reduce SPAM”. I also touched on website forms and discussed the idea of Akismet, the Honeypot, and CAPTCHA.
One of the better answers I had at the time to the problem was to enable a combo of all three (Akismet, Honeypot, and CAPTCHA). But now I think I have an even better answer!
You’re going to hate me for this but I think we need a small review first, shall we? I promise I’ll be very general and very quick.
AKISMET:
Akismet is a product of WordPress.com and comes as a standalone plugin or bundled inside of JetPack. Either way you get it, it works somewhat by ‘crowdsourcing’. When a person (or bot) tries to leave a comment or submit a form, Akismet gathers the data (IP address, name, email, text and links) that they have and tosses it into a database. The same thing is happening on other websites across the world. If enough people mark a comment or submission as spam, Akismet sees that and stops them from actually submitting their crap. It’s pretty cool.
THE HONEYPOT:
Remember Pooh Bear getting his hand stuck, or his head? The Honeypot is aptly named. The Honeypot is simply a form field that doesn’t show up on the form to you and me, but it does show up to a bot. The computer program used to mass submit spam looks at the code for the fields it needs to fill out. One of those fields (in the code) is the bait. If anything is entered into this field, we’ve got them! SPAM Denied! We humans never even see this field, as it’s hidden from our view, so we can never get stuck in the honeypot.
CAPTCHA:
I think we all know what this is. We’ve seen a few versions in our brief time on the internet. CAPTCHA stands for the “Completely Automated Public Turing test to tell Computers and Humans Apart” – did you know that?
That makes sense and we can see how it might work when we’re supposed to write the words we see in 2 smudged images (these were called CAPTCHA Ver 1) or click all the boxes that contain Justin Bieber (this is called CAPTCHA Ver 2). Google is working on a new version (Ver 3) that will work quietly in the background and you’ll never even know you passed / failed!
THE PROBLEM:
Each of these systems will work to some degree but are not foolproof. The bad guys are always getting smarter and finding ways to get around any roadblock we construct. For instance, the way around Akismet is to create new and unique identifying factors and we know how easy that would be for a computer. To get around a Honeypot you just need to train your program to identify the trap fields ahead of time. To beat a CAPTCHA they started using humans to identify the words or objects. Using all three in combination worked well for a while.
One of the ideas floating around would be to identify one single aspect that is common with all of these spammers and then block that and thereby block them all. You’re pretty smart and I bet you are going to say,
“Yeah, just block them at the I.P. level, that’ll get those rat ba$tards!”
and that would be pretty smart. Except they use millions of different I.P. addresses with new ones being added every day.
THE ANSWER:
The truth is there’s no answer. No, I’m not clickbaiting you. The truth is that nothing will ever be foolproof, but…
I have found a solution and it’s pretty simple. It’s based off the idea of finding that one common aspect all of these emails have (and real ones do not).
THE SOLUTION: (you have to click to see)
Yeah, I’m kind of hiding this from the spammers. 🙂
In looking at these emails and the problem everyone is having I was searching the message boards and forums that developers normally hang out in. I came across this very simple idea (It wasn’t mine and I have long since forgotten where or who it was).
The Solution is to simply hide the SUBMIT button based on some aspect that would be common to all the SPAM emails.
The one common aspect in most of these messages is that they contain a link (URL) of sorts. That link is almost always put in a body of text that is in the bulk area of the message.
Conditional Formatting:
Conditional formatting just means that we can create if/then statements. That’s not high-level programming stuff. It’s simple “if this happens or doesn’t happen, then do that” kind of stuff – that’s all.
So if most of the spammers want to include a URL in their submission, and all of the URLs start with http… I can simply tell my form that if the message body contains “http” to NOT show the SUBMIT Button! Simple, right?
UPDATE:
Like I mentioned before, it’s always going to be a seesaw battle. The spammers were blocked, then figured out a way around it and started putting the links into the “Name” field. Ugh!
OK, so a little addition to my solution will now cover ALL of the fields.
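The rule described above, written out as an added example (not the author's form or any plugin's code): one function that rejects a submission when the honeypot field is filled in or when any field contains “http”. The field names, including the trap field `website_url`, are assumptions; the function is plain JavaScript so the same check can hide the button in the browser and run again on the server, where a submission that never rendered the form still gets checked.

```javascript
// Added example. Field names are hypothetical, not taken from the original form.
const HONEYPOT_FIELD = "website_url"; // hidden trap field; a human never fills it in

// The page's rule: a field containing "http" marks the submission as spam.
// Case-insensitive, so "HTTP://" and "Https://" are caught as well.
const LINK_PATTERN = /http/i;

// Returns { allow, reason, field } for an object of field-name -> value pairs.
function checkSubmission(fields) {
  // 1. Honeypot: any non-blank value in the hidden field means a bot filled it.
  const trap = fields[HONEYPOT_FIELD];
  if (typeof trap === "string" && trap.trim() !== "") {
    return { allow: false, reason: "honeypot", field: HONEYPOT_FIELD };
  }
  // 2. Link check on ALL fields (name, email, message, ...), not just the body.
  for (const [name, value] of Object.entries(fields)) {
    if (name === HONEYPOT_FIELD) continue;
    if (typeof value === "string" && LINK_PATTERN.test(value)) {
      return { allow: false, reason: "link", field: name };
    }
  }
  return { allow: true, reason: null, field: null };
}

// Browser wiring: hide the SUBMIT button whenever the check fails.
// `form` and `submitButton` are DOM elements supplied by the caller.
function wireForm(form, submitButton) {
  const update = () => {
    const fields = Object.fromEntries(new FormData(form).entries());
    submitButton.hidden = !checkSubmission(fields).allow;
  };
  form.addEventListener("input", update);
  update();
}
```

Calling `checkSubmission` on the posted fields in the server-side handler applies the same decision to requests that never touched the page. A genuine message that happens to mention “http” is rejected too, which is the trade-off this rule accepts.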
Photo by Kelly Sikkema, Nadine Shaabana, and Jose Aragones on Unsplash